Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 09:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Resource: win7-20240708-en
General
Target: 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Size: 1.3MB
MD5: 8a586a05ecf91b8874351731012d18ff
SHA1: af1e1fdc40e98cc82a4c73060407b7c072a3a6dc
SHA256: 1573a03279d54ebce66b91825a6cdab0a123792c7c77077e9edbc64eb5078a3f
SHA512: 72acdfec4247006959ea16fe022f73663db1ab947c37a7974f1510143cab8daaa84a20ea2956b7377e1c2f0ab400405f4523050c357873a014f5f9dd0ba69702
SSDEEP: 12288:GtOw6BaTMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:46BvSkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | process
4916 | alg.exe
4880 | DiagnosticsHub.StandardCollector.Service.exe
1560 | fxssvc.exe
3444 | elevation_service.exe
3944 | elevation_service.exe
3552 | maintenanceservice.exe
3640 | msdtc.exe
2860 | OSE.EXE
3724 | PerceptionSimulationService.exe
4076 | perfhost.exe
4020 | locator.exe
5068 | SensorDataService.exe
1772 | snmptrap.exe
3888 | spectrum.exe
708 | ssh-agent.exe
4484 | TieringEngineService.exe
936 | AgentService.exe
4116 | vds.exe
4924 | vssvc.exe
1960 | wbengine.exe
4520 | WmiApSrv.exe
3948 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
3412 | 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found
656 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3412 | 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Token: SeAuditPrivilege | 1560 | fxssvc.exe
Token: SeRestorePrivilege | 4484 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 4484 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 936 | AgentService.exe
Token: SeBackupPrivilege | 4924 | vssvc.exe
Token: SeRestorePrivilege | 4924 | vssvc.exe
Token: SeAuditPrivilege | 4924 | vssvc.exe
Token: SeBackupPrivilege | 1960 | wbengine.exe
Token: SeRestorePrivilege | 1960 | wbengine.exe
Token: SeSecurityPrivilege | 1960 | wbengine.exe
Token: 33 | 3948 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3948 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3948 | SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege | 3412 | 2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege | 4916 | alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 3948 wrote to memory of 636 | 3948 | SearchIndexer.exe | 111
PID 3948 wrote to memory of 636 | 3948 | SearchIndexer.exe | 111
PID 3948 wrote to memory of 2792 | 3948 | SearchIndexer.exe | 112
PID 3948 wrote to memory of 2792 | 3948 | SearchIndexer.exe | 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-10_8a586a05ecf91b8874351731012d18ff_bkransomware.exe" (tree depth 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree depth 1)
- Executes dropped EXE
PID:4880
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (tree depth 1)
PID:3464
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (tree depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID:3444
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID:3944
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (tree depth 1)
- Executes dropped EXE
PID:3552
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3640
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (tree depth 1)
- Executes dropped EXE
PID:2860
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree depth 1)
- Executes dropped EXE
PID:3724
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (tree depth 1)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4076
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (tree depth 1)
- Executes dropped EXE
PID:4020
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (tree depth 1)
- Executes dropped EXE
PID:1772
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (tree depth 1)
- Executes dropped EXE
PID:708
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (tree depth 1)
PID:4492
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (tree depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (tree depth 1)
- Executes dropped EXE
PID:4116
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (tree depth 1)
- Executes dropped EXE
PID:4520
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948 -
Image: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (tree depth 2)
- Modifies data under HKEY_USERS
PID:636
-
-
Image: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896 (tree depth 2)
- Modifies data under HKEY_USERS
PID:2792
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 71983268d5c990adec98dd5c13d16aaa
SHA1 e53b9ba88ea15aca0a19b930b94d13a9b5c76cb4
SHA256 436f0b78a616c2c92ad7ccc7a3be0d208725083593143bd935e9971b6ee50d09
SHA512 f8ce1e976e9b4f88b76850475dbf6c1d7e2318ae5e8e3045d49efc61b7fc44d822da53830854106637beae70360f211633d245a6b8b770baac22b594510ea345
-
Filesize 1.4MB
MD5 ac6c7e19dc14268a0889bf393f69cb45
SHA1 959f5280f7ee28849652acb1c4e6214a42fcf115
SHA256 a9491eec58b0f3931be8be90f31fb8573d3659df48db27896cb9f026215448ee
SHA512 c12bdf8d8a97bf4667da294d72ce8475d2f7641c9ab1cb562f508c028889966ec46782e613ebc2fb08c3fa8da7303b84012cdff3cf5a84c94ec542cbd99b2552
-
Filesize 1.7MB
MD5 41d363cb5fd51b682fe35b92b3729a7e
SHA1 b67752bf09a86198cd999a0f3d08530c8a79cc52
SHA256 0774543b3126bd7147acd8c3e03a3dd0635b91806adee437a361bb8b06b708bd
SHA512 e8715863ec5b4934a69aa9e309416a84139e2920fe32919e8e1be4e36ee65af3b931a6f736f97e67d8226f6f802669cabe54068d0ed603fb489edaf2a308eda1
-
Filesize 1.5MB
MD5 fa6e250b3f8f3f0edfd4960ed09398bd
SHA1 a2dab2e14bf135cc5fcdd81854c1b366016959ca
SHA256 9f0fd1d3b1d93ed810004ae942391fcffc6f2e5a062966601889e1271e69b685
SHA512 fad9998eea57e5744f550d0be10ee55e1c632cbdf071efae7ee76ac7748cd906f85d6d302609c87230633c3bcefd27805f4b089599b1cafbe57f70a176716280
-
Filesize 1.2MB
MD5 65ab96b6c731759ee9054d30d247a772
SHA1 4baad85229550209b8f86a11d8584c0203845b7a
SHA256 e1ee77fc27b5c19de2f2665531a6e21b5ad5562d6f1cdec674e1aa7776c880db
SHA512 5e21a63a239f7ef0c0229d74d0a93e49fcdbf35d03fc8280af2809cfba319e95c25850f8b5c09d7617ae94be558244fc77d70ea60987caa1273f2bb99b226ac7
-
Filesize 1.2MB
MD5 3749f52a66ac24d2dea4d404494669b3
SHA1 274d96e790452b931b8e11f6ae12b6f013042922
SHA256 5b1a7fff4e21045b4d7d360021f3a04739912c9438518f79173cd434cbd78462
SHA512 c3e7159121210d7c723f094143b11608fd3c1209044b16a42334c09b5109ab5c55c2c70bef91f6f3a35ef44020c89e089d47b5bd263f04a2bbcc40534012c40b
-
Filesize 1.4MB
MD5 ae02ba56a73f73f03e8e6ae02ba87737
SHA1 fc97f55297546e83126e99d002c226b85d0d4d78
SHA256 b9ab6221a6ef93b9c3429bd2ec83ccc32313554bfead71a1ec32581048db538b
SHA512 caae1f7bc30460f46874f6a430dd4ee06f096d323f8f15c62645791e1198bd331ff00bacf7ada9d9ed7f24b6ac77ed59c3790b16fcd61cb23992fd5516c0c057
-
Filesize 4.6MB
MD5 ee856db40f414b32782c0f8fc09a9e14
SHA1 f488fccef53a9ba271a5130c79f479c98d7194cb
SHA256 e5097be2ecdd25a46e4504b7d3a333872bf76b7c884c6634030326372883a8e1
SHA512 9bb7bae7f7f2cbab7d5b7993673e907841d24b5f148e9fb147b2ee7539d11a977fc2f76f465f05919bd89a86682dce19fd6e3b29b92f762cf1e7d41cf1b0feb2
-
Filesize 1.5MB
MD5 9a4369f58294139cb0114d6245790e27
SHA1 f85e1787a717c672cb35abb9dd99f5fa44e5b866
SHA256 35a87dd1dd0ba99c30c137cb9ed9d97281f31d58d56eb581680b694a9a245eea
SHA512 37f5da562bbca52c579061d681c893645fcae506343bb881fe142430f37407fe66e974fb8db030194174be0871af1dc7d43011e2b6798957947b57a3d403cdba
-
Filesize 24.0MB
MD5 c2b03f4acff167266f3b66abfdf7fa95
SHA1 623f3cb78a53f459ccbab65f5372ff62cdc3ecc1
SHA256 6e96c347d0e844dfb99fe3d65208fff481aed1b49d70a792670d00aad8a5ae10
SHA512 b908b7d66945da09e90a0bb9891dca9e52c1df9233672183701c5fac71d0ff459bd806b9fa662b67a8c93535d51320877ebd0821d82669535c333ea4230ca2de
-
Filesize 2.7MB
MD5 572107781ad3dd31c2712151c1704cd8
SHA1 d6d4acf1775da03e5e96b0c52c1e1219f695ec1d
SHA256 75b3eef5c5dba0358144f33f39ecff8ebbbdd96e39c761cdc191c0222d46194b
SHA512 1a6183fe4683c19b1d7fb2c3205d6b6674b706aa26ab9824b6cc7622090058a4972276129db54c1d4ef54ec2439e682706c5bb123f70f6eacdb1c3666a0a1e1f
-
Filesize 1.1MB
MD5 d6fb66bf02150c1723f0969cf1806d19
SHA1 4d21a1c45624129cea5f544a5cd464a6ae8a094e
SHA256 e528542ee2c130c778c572e216bf2863d8ee716e45ae7b40473641a4a60d9f74
SHA512 18883bf4150fe6f1a4d26f95ebb1f6521e6c7336858c44ac776bfa59a4070205688a921d83ceb6e34ee4e33045ebd66ca26f470436b7b3f8be88682f8b26a0a2
-
Filesize 1.4MB
MD5 cfb1f164aae191efb6f6d845ccea1f9a
SHA1 8a4c55df700bd7afa031c70ba6ec85969425313a
SHA256 30fd188179fa069364b277ead8dee5a1ad317eaba586427309a9e45a60b43fc7
SHA512 4af0367bc715ef059f5cfa2c8d3fe83f04f2fd169d8f55a401753ccbc104671564d5ff79e08b2685ce57ba4d6e795cd0fa6f15340c0e4a08b070405ebd36b34d
-
Filesize 1.2MB
MD5 523e8e9f1714d6d87dd866477a46f1ab
SHA1 6befe906461518f5f877ce4d8485582ac1c74ccb
SHA256 a115c25a1fa464d6a95f3a6db0985a76d9438782942aed74558d9d5843130fbb
SHA512 c253fc1a755f28f34d3a752bf6b0e6a2263437a662fffddaaf767e70c2c5a1d261fe374ddf8fd7288a663c4ce3d9b482c5755adfd8741854bade7a0b1b515e87
-
Filesize 4.6MB
MD5 183b161505d97f276e4da8fa37267108
SHA1 1458ebb20e8855b21aa524ee9f9ec6e88e1c7245
SHA256 341ed7c09b64aac9a3717252892ef3ff930c7164b04d53343cb3bb07948d4943
SHA512 8f18d5112cb5d5cb4d749282d23dcba444ac085df5ec0759b6005787bf91d887e77323e48e8e22c90a0297e1244669cfc67b760666ed60065f397cbd63af5f69
-
Filesize 4.6MB
MD5 370a783749e9a366e6125272ce21bcb7
SHA1 019ae15117efdeba99a4531465e0abf6fe3340ca
SHA256 bf7db27fe54cc77adab540f0db82dfacd4191d0ee788c233787b39a29dea69a1
SHA512 5f7c2721e7f89239dc8e34bef44d07bb158189388f123374520e303856f5878e1a4bc5c7bb08d273d5584c57458d556f9db863c6459ec36a98c8dd063db3e2d6
-
Filesize 1.9MB
MD5 ef284fc6056dbfc7b51429402e97ceaf
SHA1 ee8e78e3570a599085de9b756b1b105cc711f43c
SHA256 82e61a1d064090b619e79d329cd540696672634296544905f0af481e6508ae56
SHA512 b0d7f6d0a498ccfb5f4c4d2dbf0b2e46b012f4ca7b227e9f35506799fe6d44759a79391079ca71bfbf08d1cfe95f23ede71df74d0cd1a362dc36c7463ab3d213
-
Filesize 2.1MB
MD5 36e4a87df2ac9fb0f452fa815bf3ff5d
SHA1 0465f5acef942b3cacdca88dc5af459828aabcf2
SHA256 27c441fc9e5f7de528775289d683d68984bd3d5ebcaa25b4580bc249269386f4
SHA512 af711eedd83cf87baf3faee9f75a784ee9d7fbd67a6d7645b2da756735c23c98aeb666e2adfe564c2bec38352b6b46a05d2601def6480aa88556aa93840736a1
-
Filesize 1.8MB
MD5 959a656fa5cf39ce0b7afa9580fe5c5e
SHA1 22d3e07d0264c4252add529ba2d80a0fbfe6cc91
SHA256 3c3f05adf72b5251d333dd1925c5af0607cf576c231cb03ba56a638af2ef2662
SHA512 369c88e9d59a965c56bc18dfaf0080c10279f8850f72279d9673987bccd97aa0c17b5bf76126f80318c56a0e8ccb9fd9eae92ecb4dbd0521bd9ca02c61ace637
-
Filesize 1.6MB
MD5 6da7f1e591dadb71e9ae430e1887e2c4
SHA1 21b3da58c4158b42a83e7e3b49ffe258a4a42685
SHA256 6f8f32ac51cd7a0db92d5adabad2a23db82c8c96d97acad4959c58da8bbeff66
SHA512 2dfa54c49afc86cb16228e016b5d7ded5f5be008ee9a927314c20322317bb2248e2ada1b9419928b638b7e0052a5b83e85951cc14c50ae00c2f5704614207d8f
-
Filesize 1.2MB
MD5 b9cbc0864e2c8a507e0a79259c24380d
SHA1 ef22585e326671a23bbdca5dfb93e60c6b24c3e5
SHA256 b4b076188f6a4728135b2d0f1ab615d09af246a47a289006c72945dbcdea9172
SHA512 823caaa46b528b95079a2b46af618fe17691f4377825e4932d5ca994e792343352942e5dcb49e30a2c861b6cc11ca3a98c6d22159c0f4763050f3d6e23c07414
-
Filesize 1.2MB
MD5 544ad4dac9926ae2fa474e60f6eaec30
SHA1 78822262ccecf228aa960b348087ce39eb1de482
SHA256 c26102371ee06bcac753a0a78604042f635bd4650eceb49ca5bfe91e3c77f266
SHA512 5eeaa78261e77a2b05b774a19bf7fa143ef3ff97bd57208d7489571cfd485e1cb51eb3f0956a0b7df459916a4384659633bdc54f5ad83ac8886b81770c0513b9
-
Filesize 1.2MB
MD5 404a8fdcb7569956cb0fca03a59ed72b
SHA1 2eac7aad200e12e11a90657bbe6cd905f0e0fa9c
SHA256 8ffcc9deb6a23ab2fc962cd7f477f9f8764834c08f6214c5b50ff1b5878697b2
SHA512 d1caeaf8d378b9460a35f1d1586a95f8cfbb5c0423430b614f08ad7f9b636c9f48e7a51ffba0dca633818b1de54e12d695830ad48ad18f4177b9999ac124a740
-
Filesize 1.2MB
MD5 d31efc03c2e5369716ae3d7fc38dd87c
SHA1 5eb989feeac7932e38d385c9e4a9b40d87991904
SHA256 23d2a4ec9d1908af18bb4dbe036e2f7859d37bc3e848f739a5b5369b37913cc2
SHA512 0a9e207ee19aff8d3c4f7908b574a77712511f8f1b18cec1a034b958f9d2931225ce3df46a26e37b994f2471160087cb8e1b3e7c1a65b6d86d532fb4a67cb127
-
Filesize 1.2MB
MD5 0996afb017be12609c93ce09b7ac06c1
SHA1 95c9b1bedc70bd76690b71cc96fca00c6cef9b14
SHA256 fc87b949f240567da2c838e136dfc0de1437113b32140468e5a83936bebcfc24
SHA512 7019525d0c40f85daa34be4bd59507345a1d5583a4be9fdeb9d230f7950eb55d1d71b9abaaf90491c0226df0768795986dc2fba18e14074e54442bcccd6b88b0
-
Filesize 1.2MB
MD5 18ef095d023db1b12bbb45b26d96c32a
SHA1 62c54a006b41688731d4233ff8f195f3b66393c2
SHA256 3a3b4b698592c56d0e538b26f23f082078a5e507127e11407946a27a8db2e67d
SHA512 7d798375c9018812e4bdb99dcce8567da154b4bf32417caa2c0f60427d4374b0b848ac975128eeeea43eafe505a94453b725038970f6223bd6348d635e309be9
-
Filesize 1.2MB
MD5 28396a5f4cf1309a251ad441dc5a90e0
SHA1 1d0269ea9fd506782eacf378f79f6c7688ea167f
SHA256 1160e745f784402f6c1c54fff50a339ea792f705b72e61257705d458c80b21f6
SHA512 dd02f81534deddb681c9f2d8b50a9dc685f07eeb4d508d69d8b844fe717bbb45c4b721f8f7e8bed24cf04b1ba42e9136fd3eda0573329f813d19d5d9743f504e
-
Filesize 1.4MB
MD5 652882cd14258cd392ef39c9534fcfc2
SHA1 7a198457c47f9db91496cb272f219feab85bc2bb
SHA256 cd0b701d5f14ad193b066f29983179d6e8d62dad0b0045d3a1bcdf7d8b330433
SHA512 73a83237f7bb5bc1e11c0e2ee4d64015c1c24c8fbb5e48992840e59eafa3e63fa86dd239a82c856e36cf64574245cb41f39f35d37442117c14e39f6010a5bf44
-
Filesize 1.2MB
MD5 1f156fa5ab0693288b6e8999758c9c50
SHA1 8c100bbc6828b5ebf25416eb5cfd17306dd94c3d
SHA256 cd4c5ba291397784ee19475a3f8f425c1cf3f5b4aaed70856809fb9fa9699cda
SHA512 7049dc0bbc9fdc7252d7d2484c4d3b53e31d70808a2c16f9fb8f7c6790f7baa242a80283319b999470455a74b9f45561a6ce7fcf77a229ba3c9a91ef0218166a
-
Filesize 1.2MB
MD5 5c9f477c1365708c1dac439d0bd9f081
SHA1 accb62a916e7583d2c76507d17568b004e08e8fc
SHA256 29ae280bb1242d4489acf044529ba8585e6766a63ec4a60330b54c480bcc0497
SHA512 d974138c7bd1db193679eddbb8e3e86a6fb34c66070141d651b2cfcd1137e2e8e141a30d6ab3c7b02b23a8e9af6b20e769cd373eaf141a891d9ab40c424f96e7
-
Filesize 1.3MB
MD5 7052edf97ebe5e10bf21733a9a22bd1c
SHA1 9764960932b2f84ed8e17de5fec298ee83f6fd10
SHA256 1f61f41b44490c5f019cfbd23a52c836c4b88fc9b6eb9fdd19d3d8382fcd6994
SHA512 9b210f5886e771c7ef290280a95ba385c136fe43b5a9bc85aca5bb0e106bac40096ae4cbb7e22f8a515f7e8a9f8469338c29f122463fb61f5ec997bd20f28a71
-
Filesize 1.2MB
MD5 462ed60a2224aca51ccdf6baa7828e0c
SHA1 822199762ef9261b2d586273fae289e5a8cf549f
SHA256 80fc06223103a4ad2ebfd2e4656eec8f3fef3fa2b400765170643b8f44bb8617
SHA512 883e9499de00ebab7574ec5cfa3602e1afc51650c857f0724a685f5720572d2a349eb3b646d95294956f4ef0937fe3e3b5c7bbef7fd2e6465195370d201bb18b
-
Filesize 1.2MB
MD5 f68c3ae8abe7ab4d25848bb9a1a8db52
SHA1 43b7a8314f43b8482592b0e0ecb6b9b9c746312d
SHA256 9babb39373cdffb7a3ed915bb2d0c52686be9554168ce2bd5436089257a3227f
SHA512 cf8cce67573c308127c91b713b4fb6de599a1872cabe800aa2b970e051a1edce367528a3eda820f88be2685be3b2b23c2f111cde5ffec2ee96e07aadb54c2a07
-
Filesize 1.3MB
MD5 f55fc771edf4cf02f684aed0ac1e5a42
SHA1 b474af15fafac2e40c69f542b53e54e1a7bde708
SHA256 c614bb9ee69d96bae6ff083d8240eb29699710c9e940f57460e00c3cf38188b6
SHA512 e7fa878ee77a3af779846ad36fad3b3ae01b7a02531e072f21b1ffae41a4aead7232527e302e458d64778e7ae45968fae07cd55bdbf00ee2f6c9c5f11cdb3ae1
-
Filesize 1.4MB
MD5 9f47c1db432c6d52509ed669f4d278d5
SHA1 acc509f2696b4393f66afb19b35f07c164cd3354
SHA256 46c16aec5fa7a6d3b3e58dc4b314504f6f6ae169011693555bb0cfc79f746e19
SHA512 051bbb175be127cfdc40810baad14fa19085d6f8b946a8d09dd53f7de92dbc531a9e950d61cf1842c8a7bfc12c58f703db37e9f74882979a5cfd08b3b0b567d8
-
Filesize 1.6MB
MD5 9d26f99faf14edafd0cc7edc77fa3e18
SHA1 d2ba907402058511960fd3196a4e3a285deb8e94
SHA256 e40629f2951eca0135e3d61309a14ff6b59ad3835fe4cc8176f7227b850d199e
SHA512 7b3c26816d043c58a51face281681a1f7b24c68227ca955622f22d4c9616467d60c9940e5e8e8ed9db76adfff0160b656a1d3065c2bf64a6f22f7de96189e1d9
-
Filesize 1.5MB
MD5 3ae7ee59b95d2558b4f97d451c67b2b2
SHA1 40f50c63b7948ac2c23904bfb2e9a10c57fb322b
SHA256 46ed995317e4899163903cd27e4065a91c38a3fa0bcc250a176a867d54514c31
SHA512 0b70cc7c1703675321a9a46793978e463dad2d7feaf416db3ff99c280b2a19d708d9f84cb4ec089f0c5eb7e40be597135d645fd9fae6283a36b4d3d4396040f2
-
Filesize 1.3MB
MD5 f9cc33c2eaa78552f8ff038374235cc3
SHA1 1422a43050f91a5cb9847c537918699970b350d5
SHA256 6c76f4712841dc7e846230419fabd088b31fd30ac00558e2abfdb6ba8a293f08
SHA512 4fb52d9ae58fecb255541d76cad3d1ef2f989a948785584ddcb1988dc7160751b6390476932b3965cf094a4c84ebbbcd9c4a2da080eeb3185317376ce417adc2
-
Filesize 1.2MB
MD5 5740b398ed8ad2f6e0c231fa0375872e
SHA1 b000c10797d6fa6676526af2207b6fdab669fc23
SHA256 16bd72aa44794533c5a2319ab113014964d75493ec435aef21d0bdd7de99b1f2
SHA512 5c125dc7e93c112aa17732440b1c8e0e2b9b0c05c5ddaa2110978bb2e16680569312f57dfc117024663f732549cf67f52224741665ac94f5ab6a1b75cd8b49ba
-
Filesize 1.7MB
MD5 1ab87a15b43466dbdf15a0aa69451a6e
SHA1 45c4bfd8f9de6b89a46a823303ebd95593f7bd11
SHA256 011b6c1178a2acc00b7477a98e52e3129fe16454ea8fa410ce0e636cad3859b2
SHA512 dfc2930a0627c0f4c73be1489df42f8964a9c72bbf75fb759668a005b0ba805e434c87a8da6f049b4a991b892903ea52e0500c382c75216628a7c81dba3cc331
-
Filesize 1.2MB
MD5 41152e18d7554852b230a77cfe2564cc
SHA1 fdfd776e0225952da19c21f571f16104a2c24023
SHA256 a60ca33b71147703afb1466f55b4fe534957a981d350260eae229b139a3c42ad
SHA512 84643d1ecaedc174a73e03e89524f5c78c9f0669daaa8f528cc68e5a9807991c97d92c2eaf359803b7b49b4cae287e0292f30bf0252cbf5f64ce417be2d3699c
-
Filesize 1.2MB
MD5 6a32ca8f5da50cd4be2db579b92bcc7b
SHA1 66bee7ebc965eb9fc63c9bb7df584005cbb03c70
SHA256 db307c4ae8080e28bf85cea75878d482bb86e3a1cd583a6d53313954dd52f27f
SHA512 e276a0d519dab47d30734a4fbbc9746b350bdfd44022940099c62d97aca94a4fc884e9b2f603681aa2158abaa7e871a72fd7f29844810a8922f39764c150d019
-
Filesize 1.2MB
MD5 76bca3dd190f9f55867bd5031dbb80e4
SHA1 9e41d81497e9289fae6ad03f007b659cc4e72df9
SHA256 22dfef889764410f0f60775afc3a830540d5d2b913ba6e8fad29fd3fe8193dc4
SHA512 62c5f3823d051ac9f0dcdba2ce838e170c21daa472a0240d544d1f01dab9acd2cbc11ce33e59bd20a13bb09ebc86356f018c48131d7c92533dc6808c973b5635
-
Filesize 1.5MB
MD5 978455e637a17872de00d7cdc81f2b93
SHA1 413cc14e960691b6e2433a805284863fc398c651
SHA256 4853da76aa961aecb1fb1c0d22c34f7871e7e61110b74eb597339c5d658c92a3
SHA512 6fb41a7d51cc28cf6b9f584b1a0006bf892bf6183a5e8cd70af182208843eed28060288eaf9e58fb2575d0b5f36121f5ad961834e6e67371ea51269d58468c40
-
Filesize 1.2MB
MD5 1d06a3db045f9d52fc6c75533356dc13
SHA1 21045f7e94d4c14a67791cedaffafb5707998f57
SHA256 b6b14702142e7d8cf2f178df7fc3bb61cce32145076e57528f295d65a4668520
SHA512 4024f1a430678563a5a70e06c97e1d0d440558c3db0e59b110e0f7f70a9ee3dde9e7ad5fd4c6da768edcbf648e2a8538e28e5f1c2c88757c38ad62e6929d2151
-
Filesize 1.4MB
MD5 47576f9369452eed2ea9101697040746
SHA1 c30f48269ddfad6dbe13dbf3987842b3375210d4
SHA256 c748869280d244f3eed1ea46fbe88cc38c0656e8ca72d7d9ab99e47d7c043b85
SHA512 ca1d0bb240c2425529dc61a5ee9c2dfe53818d1babdcc47a2b3c532cf35e8589d1325aec8ae8619304c535a709f93382220b78635625d23f8cb227999c509f46
-
Filesize 1.8MB
MD5 17bc73e9bf36f23d063bdd7e4bf89889
SHA1 725544195a19e31a56fb9c23ec8d719802a6bc6b
SHA256 e5e3f90ff9d04a669c4a0e76c03a89583cd0c6f78123209ad8b6c2f18a1fe7ac
SHA512 25217c7ff703cc05c05e5fc096971133e2be2875dbabb993e91398319a2837901099da04050a0a111d01244941e710f951195b669f0f1bc01a330a11cada92b6
-
Filesize 1.4MB
MD5 a56d89a2004e887dabef0e13455e7905
SHA1 23c6c4281011e74c1e1698185bf6f58058c936ff
SHA256 bb9e2e28e5e33970db70e686c449bc03edb6203a4e8e2fe1728e82a702e3cdb8
SHA512 afae359116e4767c0352a2898be1ba7ba6ecfdcb0e8de070919d6978bf6f77d618aaa09637178df60f71948c9ed8c5d008c841c9bd181bb92bead9a5733ae7ea
-
Filesize 1.5MB
MD5 8ae8cc91a39854c08f9755cf0ce92410
SHA1 7431e50386162bdac169f313fc559438ea45faf7
SHA256 c1f1cc4f794a28835913046fdcca69ebe97effea58fa923c4614c6afab1d5d4e
SHA512 58756dcd1002e37f07e033e6971fb511fb8bb32044d2c25392751f6147d892cb002f4dbafdd2f6a0dca73dae0b75d6294835f1e2b0fe55378487ac35269bbcc8
-
Filesize 2.0MB
MD5 c3cbf5f880131b89403587f66efb5ee4
SHA1 279c7d8eb20a389c164d5597bf0ca3a6ae7fe727
SHA256 5be8ded85bbff9e20e0bee8ca606a68127185a92c6f287b8fa26216cdecc8a96
SHA512 d4994e00e6e8c18de1187cf4ab26673960acdc89b22ff56df9d52617aa64dc02283cda00215b4658b4b0d7ff9754fe32fa116570b83546eb7e29d738fbac943b
-
Filesize 1.2MB
MD5 979b98c889c1ad65d3de241a609c5a26
SHA1 e6319ed32d07863baa3dad51fcaf0fda1b4a4823
SHA256 e6df1a3507cbb123b7631f05b5c281e11012b37b9d302703ee4c876e44032bee
SHA512 d0eea9f318fa9b90ad535c343c4557fc2d0eb995615a7e5ccbe7803cfe84a3750deb1ec51fa34b645aaa9bb8dce4ad8da176a6b908005bfb50a5d8012e4e6a42
-
Filesize 1.3MB
MD5 b99903cf3849d2f8f00de64683d8fa42
SHA1 d94a0e624445c9799cd009e2bffd7cd071d4f367
SHA256 2be24ac2195af038000e6798c5ba1ea0c49e474f886491feb908ea9edaf13abf
SHA512 59bdf2b2148da6ed17f2e927596b59f60372df03088c8c5d2e86dbd183986837dc509f7c90c090842508936d7a0ac7bf7c3d8cf999f8efb98b786e3101524f90
-
Filesize 1.2MB
MD5 d67aa78a704c86288617add20a838f56
SHA1 105826d26bdddabe3d3b66803c15ba735d03aba5
SHA256 1bc4f682cf3d009f7372b1dc92b2a75ffe38be910a99eae7d79b0a9845f8f4ef
SHA512 cba9c90d36241ff6d2e85bef24e4b73d4f26d89ad50d1fb2cf0444d5b42730de8e82dce871ef5d748c69a3a8421ed33e16673c072a3570cc39003274b7fc2ec7
-
Filesize 1.3MB
MD5 2550828d25d0dcf2c8cf02b42b45b8d0
SHA1 3649dde116342165ebc8015e9af35ddc9b1d1103
SHA256 b04eacd08a668c5e5c439995aedf5dcfa6cf0d8d199168877953e175262363b2
SHA512 707ac4035f43b8be217f50b17f31e983523b6cd507f45a72f09b72fe13962b211f653159b9840546a6f07bebad5bb734bbe53794fbc54e59923aa6871a8f6ff7
-
Filesize 1.3MB
MD5 c0a8f97fec60d994f44cfb9dc30a6a03
SHA1 df5aebd7c134ebbf57e1e39601ff2ab39c08a1b5
SHA256 efd4a079bf51aef9a4602926ef6bbd27cd20fa43126503c8f2fb6db2d47601df
SHA512 9d51ccdef41b7c5b4be73b4360e05e9ff177544d8e003877dd0c59ab052f9e7896199668d935207382050f9c1fdf4f7bb4249608b0f0e262a906d2c7d78ece0f
-
Filesize 2.1MB
MD5 5e0a484e711d6f2675fc7e0c9d35703a
SHA1 161682213a43706f08d85c5b65688f57a3aec32b
SHA256 7338565e980bee2974bbd43b2f12a6be7d6124a124ea05fe7e68ea77bac35048
SHA512 4dcbd6df85de6b36d0c79a37cb8e8fe49716fa5e56e526c3fa3a5152ccc53130bd1c196c3716742ba9ae53fe1b7a77f2019473bcdff1dc1ff8016f417e0a1506
-
Filesize 1.3MB
MD5 bf9a54e934edf9f5faf45bc86fd16838
SHA1 364f2f1671ca201603f69ab9d338b6afa49543f1
SHA256 1f07df5c85a7fb82362abfc841e08caf450c5d1c62e15856212e8b81d175f8c5
SHA512 b3d533c38cc3c06faa6dc5835472bc9304cd81c29935c8fe3e55e441396b10fecc66c7d854f6d68ee44b25bb9f683f105e8a0cdc60a38ea96a512428d845cbe8
-
Filesize 1.4MB
MD5 caafdfd99cc04122e08dbd4a5290fa33
SHA1 3d9967f4a202783bbb87bbee5f88f24a50cd3b41
SHA256 216a5b6ccad9e54f0920cd32afda7bfc94fae27d6904e2818578ed9a47f79e09
SHA512 9a2f26d0e50e36260cf7327cf773e2873383d7235d27930bfaa0a755d818121c131fe7277f055fa7a4686235aa51a032223170fd03a69735c2b82f8065319909
-
Filesize 1.2MB
MD5 cf42c74045556ab4b569f9c91d46960a
SHA1 b3df58fdf12404265f5a30667ee8ed941671fddc
SHA256 c86ff851b9fcab65ab732755ac95cacef2e6d513e5a043b2eff45334b1d91e89
SHA512 bcd1e959f5a913f2e2edf1841ce007b96ebc0f58c41792c73513178769cc65c92a277babb6b243a43d29d8878caed4dcf6375bcfd5f6ce5b3bf886f3437cdb3b